The ICO has finally blown the metaphorical doors off it, handing down a fine of £325,000 to an NHS Trust for what can charitably be described as an absolute shocker of a data breach.

You can read the details for yourself here, along with the general squirming of the organisation as it attempts to get out of coughing up the whopping fine. Interesting to note the use of the word Austerity in a mitigation plea for the first time. More of that in a moment.

To my mind, this illustrates Graeme’s 3 Laws of Information Security to a tee. The Laws are:

Law Number One: You Cannot Outsource Risk. It’s yours, and yours alone.
Law Number Two: By implication of #1, you cannot outsource liability.
Law Number Three: Don’t Get Caught.

Admittedly, number three is borrowed from The Eleventh Commandment of the Security Services (‘Thou Shalt Not Get Caught’). But it’s the first two that are of use here when we examine the case.

The reality of the situation is that a contractor was employed to dispose of the data properly. For whatever reason, it didn’t happen. One would hope that the Trust had in place contractual obligations and penalties for breach of those obligations, BUT it’s still the data of the Trust’s patients, collected and used by the Trust. That ownership is not transferred just because a contractor is handling the media. And that ownership has explicit meaning when it comes to liability. The ownership of the risk is never transferred, and so the Trust is liable.

The next question is regarding the fine, and whether it will actually be paid in full. I’ve raised before that the ICO will never have credibility (and therefore change behaviours, which is its purpose in life right now) until it hands out a big fat fine. Big fat fines work because they have more chance of impacting front line services, generating lots of adverse PR, comment and general wailing and gnashing of teeth. That appears to be the case here.

The downside is that by playing the Austerity card, and maybe referencing the precedent of the ICO quietly reducing fines (again, covered by me in the past), they will probably get away with coughing up less cash than they’ve been fined.

The irritation in all of this is that it is an appalling breach, clearly far worse than any officially made public so far, and it therefore demands the worst fine so far. I just fear that weasel words and precedent will render the process impotent.

AV (or anti-malware, as we all insist on calling it now) is hardly the sexy end of the security marketplace. It is the bread and butter of our world, and much like bread and butter, you can buy it in Lidl and you can buy it in Waitrose, but it’s still just the bit around the bacon in a bacon sandwich. And I don’t quite know where my analogy is going here, because now all I can think of is the smell of bacon…

Anyway. You get my point.

Yet year after year, various vendors stand up and announce the imminent demise of the AV industry and of AV as a technology. I’ll put money on someone having done it at InfoSec this year. And every year we all roll our eyes and smile, because each time someone has a different reason why (although it usually reeks of ‘PR stunt’). Software vendors expand their offerings by buying other companies and inventing new stuff, but the AV bit of their business remains rock solid.

The actual article has as its key theme the fact that this enforced network downtime is driving human contact between staff and clients, and this appears to be something that everyone is enjoying, despite the fact that the actual business of the Agency is grinding slower and slower. This is an interesting theme, and one that speaks to one of my pet hates: people emailing me from two desks down. However, buried in the middle of the article is the fact that they are rebuilding the network from scratch. The quaint and curious idea of actually talking to people is a lovely rose-tinted ideal, but the lack of productivity tools is going to strangle the operation eventually, sending costs sky high.

So in the last 12 months, I’ve noted at least 3 very silly software vendors saying that AV is dead, and that their widget with its new, next gen, 100% uptime, intuitive GUI thing renders AV obsolete. And my response is: really? Honestly, really, really? Nope, thought not. It’s not sexy, it’s not cool, and today’s threats demand additional tools, but AV is still important, and you dismiss it at your peril.

Another year passes, and certain things change, and certain things remain the same.

The things that change can often appear to be bad (I have now got 7 grey hairs for example), and the things that stay the same are often also as bad (how come there are large stretches of the motorway coned off, yet nobody is working? Why is Michael Macintyre still working?)

One of the things that has both of these elements is InfoSec. This year’s 3-day extravaganza of the great and the good from the UK InfoSec community had some things that looked the same, and some things different. The things that looked the same were:

I have commented on all three of these before, but please can I urge Marketing types at vendors to think again about the ladies. It’s not a Detroit Motor Show from the 1970’s, and you do yourselves and the rest of us a disservice. If the only way we can generate interest in our profession is with ample bosom, then you should perhaps reconsider your approach and messaging. Nothing wrong with attractive people on your stand (Sophos is blessed with a plethora), but T&A Security is not a strategic approach.

Anyway, the changes I noticed were very interesting.

The first was the fact that the delegate profile was different. In previous years, InfoSec was a nice jolly out of the office for some people. This year, one can only assume for budgetary reasons, there were fewer tyre kickers, and the quality (from a supply-side perspective) of delegates was so much better, and will therefore generate a better return (make no mistake, my demand-side readers, that’s what InfoSec is about. We do the show to generate business. There: I’ve said it now. Gosh).

The second thing I noticed was that the quality of the tat/schwag/crap was down. You can put this down to the same reason as the fewer tyre kickers: less money. We at the Sophos stand ran a ‘Tat Swap Shop’ on the Wednesday where delegates could proffer the worst items of vendor tat and swap them for a bottle of poo. Some of the offending items were genuinely fun (I apologise profusely to the gentleman I made stand up, wave his plastic sword around and yell “by the power of Greyskull”) and some were bewilderingly awful. The small clear plastic box of shredded hard drive was probably the oddest. What precisely are the children going to do with that? Get beryllium poisoning? Marketing types note: show tat gets given to our children because we are feeling guilty about being away. It rarely sits on desks in offices. A chewed-up drive is not going down well with the kids or the missis.

The final change I noticed was the general industry movement towards bring your own device/software/sandwiches as a topic. For years the industry has been banging on about mobile computing. This year felt like the hype was turning into real solutions, albeit with a huge amount of noise and general sabre rattling. However, since this is the usual MO from both demand and supply side, it’s hardly unexpected. It looks like InfoSec 2012 was the time when mobile, and the security risk it poses, finally went mainstream. My advice to Marketing types here is simple: keep it realistic, keep it as free from hype as you can, and we will all stay happy.

All in all, I think InfoSec 2012 was a good show, and as one of the few people in the industry who genuinely looks forward to it and enjoys every second, I’m looking forward to next year already.

PS Thank you Les Wells. Comments noted and I shall try to get writing more often 🙂

As occurs on a weekly basis, Public Servant magazine has an article about public sector data breaches and what Government should do about them. This one was by the venerable Graham Kemp of SAS and it’s one I have to take issue with.

Graham suggests that there is a simple solution to breaches, and covers that solution at a high level. Well, I’m sorry, but I feel he’s missed something: the problem is not technical or procedural, it’s a macro one.

The problem with data breaches is two-fold:

1. No one cares
2. The punitive damages incurred are too small

I’ve covered the second point many, many times. While the ICO’s top limit for fining remains at £500k, there is little disincentive. There is a need for proportionality within this limit, otherwise the ICO might face appeals on proportionality grounds, so he can’t just hand out £500k fines every time. If an organisation receives a £70k fine, but it’s perceived that implementing meaningful remediation technology and processes will cost much more, no one is going to do it or care. They’ll take the chance and pay the fine if they get caught out (think about speeding fines: we all do it accidentally from time to time and accept the risk). This was the reason why the soon-to-be-defunct FSA had unlimited fining powers. There’s no point fining a bank £70k when it probably spends more than that on toilet roll and flowers for reception on a weekly basis, so the FSA handed out seven-figure sums. This is slightly more painful and generates press coverage. Fining a Police Force £70k is not going to generate the kind of press coverage that makes the damages punitive beyond scraping together the pennies to pay for it.

The first point is more interesting. Ask Joe Public ‘would you be happy if your Council lost your personal details?’ and the answer would be a resounding ‘Hell, no’. But most people don’t understand what has happened, and frankly are more worried about their gas bill, the price of a bottle of wine to soothe the pain on a Friday evening or how much a litre of diesel now costs so they can get to work to earn a crust.

It’s the reason why nobody cares about the green agenda right now. Polar bears are cute (unless you are actually face to face with a hungry one) and look great on an HD telly with a soothing Attenborough voice-over. But seriously, I’m skint, and adding tax to my fuel bill just makes me worry about my own, rather than whether a two-ton teddy bear has enough ice to live on. So sod the bear, make the fuel cheaper please.

We are never going to eradicate data breaches until Joe Public feels it’s in their interest to get involved (see fox hunting, fuel blockades and X Factor for when they do), and until they do, no software or procedural changes are going to make the slightest difference.

Last week brought us a supposed landmark in the life of the ICO. They handed out the first fine to a Police Force, rapping Lancashire over the knuckles for losing some stuff, and having slapdash procedures. Bad Policemen. The resulting £70,000 fine will undoubtedly be paid for out of contingency cash, but at a time when Police funding is getting headlines for all the wrong reasons, one imagines somebody somewhere at Lancs Police HQ got an almighty telling off. Or you’d hope so…

So, all good, right? Ummm. No. Because thanks to an FOI request made to it, it seems that in certain cases the fines actually paid to the ICO were less than those announced. In a rather interesting piece of work, Out-Law.com asked for the actual fines paid by a number of organisations. Guess what? Some organisations got reductions, and some had huge amounts shaved off their fines, but ironically, in many cases the ICO refused to answer the question, stating:

“It is likely that disclosure of all the information you [Out-law.com] have requested would prejudice the monetary penalty process. It is important to point out that we do recognise that the cases you reference in your request are completed. However, we consider that the prejudice would occur to the overarching process and we have to be mindful of the possible prejudice to any future cases.”

It’s all a bit odd. The ICO is fining organisations (rightly) even though they are clearly in financial schtuck, then backing off the fines in some cases, and then refusing to explain why.

I think some more work is required here, as this doesn’t feel right. Fines are supposed to be punitive. Fines are supposed to be a deterrent. Setting a precedent whereby organisations, no matter how cash strapped, can reduce the already (relatively) low sums involved is unhelpful to say the least.

I’d like to see bigger fines, and I’d like to see which organisations are getting off lightly, and the reasons why.

Let’s be blunt here. If I sit through another presentation telling me that the world is going to end because the guys in accounts want to use their iPads, and that it’s a terrible risk and the world’s going to end, I’m going to puke. If I hear the phrases paradigm shift or Generation X, or hear another commentary on how people aren’t going to take jobs because they can’t use their smartphone, I may well get punchy.

Stop it, all of you. It’s utter rubbish. Marketing types and sales people from West Coast vendors along with people in ICT Departments, I’m looking at you. Shame on you. And I’m going to explain why right now.

Technology is, by default, an enabler. Unless you actually sell the technology, you use technology to allow you to deliver stuff and services to people or to meet business objectives. That is it. There are implications of doing something a certain technical way, and you can mitigate any issues with a bit more technology or some process.

Technology is in a constant state of change, and we in industry invent stuff, wrap it up in shiny shiny ribbons and then sell it to customers. And the technology that really sells is the stuff that allows customers to meet their objectives cheaper and faster. But this isn’t a stop-start process, it’s a constant flow. Rarely do you find a genuinely game-changing moment, a revolutionary technology. To my mind, I can think of 3 in the last thirty years:

1. PC adoption by business (because it increased productivity and therefore reduced costs, making products or services cheaper for customers to buy/use)

2. Mass adoption of the internet (because it increased productivity, made customers easy to contact and reduced costs, making products or services cheaper for customers to buy/use)

3. Virtualisation (because it reduced costs of deploying servers, making products or services cheaper for customers to buy/use)

Reducing your cost of supplying/transacting means it’s more attractive/profitable to do that thing.

And BYOD is just a manifestation of this. Applications are delivered via browser, because it’s cheaper than having standalone apps. Browsers run on practically any device these days (I am waiting for Firefox for my fridge. It’s only a matter of time). Apples, HTCs and Samsungs are shiny and cute and have browsers. People want to use shiny and cute, and they like the idea of having their personal life and work life on one machine (apparently. Personally I think this is just plain weird). So they want to use their own devices. And here’s the IMPORTANT BIT: if there is a business case to do so, do it. If there isn’t, don’t. If it makes your business more productive and reduces transaction costs, then just do it. If it doesn’t, don’t.

And here’s the next reality check. We’ve done this before. Yep. We are just rehashing the arguments of 15 years ago when we gave our staff laptops. They took these devices, with corporate data on, and roamed the streets. We fretted about the security of the data. We fretted about them losing the devices. We fretted about them misusing the devices, either by accident or maliciously. We fretted about them surfing naughtily on these devices. So we put in place remediations to those issues and we got on with it.

The fact that BYOD changes the construct of the relationship with the IT Department slightly is called… change. But it’s hardly a (shudder) paradigm shift. It’s hardly new. We’re going to make sure these devices are fit for business purpose, and then we are going to secure them appropriately.

One of the joys of this blogging lark is that I get to do one of my favourite things, which is be a bit grumpy, or more formally, challenge orthodoxy.

Challenging orthodoxy is something of a hobby of mine, and it does quite often get me into trouble or irritate colleagues. From sitting in meetings and asking people to relay what they’ve said to me in English, as opposed to industry gibberish, to staring at policy types in Government and asking ‘why?’ repeatedly, there is actually a point to me being awkward. The point is that quite often in our world the bureaucratic process obscures the often good intention, and renders the process at best painful, at worst counter-productive.

I have a myriad of stories I could relate of experiences across various bits of the Public Sector where Compliance with various things has actually made matters worse. One of my favourites relates to a time a few years back when a Local Authority blatantly fibbed to its auditors on GCSX compliance to achieve its rubber stamp. It was only a little white lie, based predominantly on a desperate need to achieve the connectivity and an IT section starved of resources. Nobody was hurt, and to my knowledge that Authority has not had a (reported) breach. But the raft of impending regulations from the EU, the changes in the legislative landscape in the US (and therefore coming to a European legislature near you soon) and the continuing drip drip drip of ICO rulings on organisations breaching in this country make me wonder.

Is it possible that a culture of Compliance is counterproductive? Off the top of my head there are: PSN, GCF, GCSX, N3, GSi, PNN, CPA, CAPS, PCI DSS and a library’s worth of stuff from CESG. A veritable flood of three-letter acronyms, all of which come with whopping great documents, with controls that need to be adhered to. And IT/Security sections spend a huge amount of time diligently working through them, writing things and buying stuff to prove they are meeting the criteria. Could it be that the very act of doing this means they are forced to take their eye off the ball, ignoring issues in the real world? Much like learning to drive, where you go to driving school to learn how to pass your test rather than how to drive, is it possible that the large collection of standards, connectivity controls, best practice* and advisories merely obscures the real-world set of requirements? Could it be that there is simply just too much of this stuff?

I know several ITSOs (IT Security Officers) who give huge long-suffering sighs at the merest mention of new guidelines. All these new guidelines do is create extra work and extra bureaucracy, most of the time spent writing weaselly words as to why what they already have (which suits them and their business) fits into the latest and greatest thinking from those in the know. And by in the know, I mean people looking at security as a single topic, rather than as an in-the-round enabler for business to happen.

I’m not saying don’t have regulatory controls and good practice. I’m just saying that the volume of it means it is quite often a tick-box exercise, divorced from the realities, which costs time and money to do, and can distract from actually ensuring that the organisation is fundamentally secure.

*I hate the phrase best practice. How can something be ‘best’ practice when at most it’s informed opinion? Let’s call it good practice and stop pretending, eh? To be fair to CESG, at least they call their stuff Good Practice Guides.